How to manipulate curve standards: a white paper for the black hat

This paper analyzes the cost of breaking ECC under the following assumptions: (1) ECC is using a standardized elliptic curve that was actually chosen by an attacker; (2) the attacker is aware of a vulnerability in some curves that are not publicly known to be vulnerable. This cost includes the cost of exploiting the vulnerability, but also the initial cost of computing a curve suitable for sabotaging the standard. This initial cost depends upon the acceptability criteria used by the public to decide whether to allow a curve as a standard, and (in most cases) also upon the chance of a curve being vulnerable. This paper shows the importance of accurately modeling the actual acceptability criteria: i.e., figuring out what the public can be fooled into accepting. For example, this paper shows that plausible models of the "Brainpool acceptability criteria" allow the attacker to target a one-in-a-million vulnerability.

Keywords: Elliptic-curve cryptography, verifiably random curves, verifiably pseudorandom curves, nothing-up-my-sleeve numbers, sabotaging standards, fighting terrorism, protecting the children
